Imagine for a moment that you’re a contestant on Jeopardy!. The category is “Cybersecurity,” and the answer is “$3 trillion dollars.” What’s the question?
Would you have guessed, “What is the total global impact of cybercrime?” If so, you’d be a winner.
Too often, companies choose to believe they won’t be affected by security breaches. And too often they’re wrong. That means a whole lot of companies are losing—financially and reputationally.
“It’s often not until businesses have been hit that they realize there’s an issue and a need to be proactive and put resources into this area,” says Jo Stewart-Rattray, director of information security and IT assurance at BRM Holdich.
As international president of ISACA, a global association of 115,000 information systems security, assurance, and governance professionals, I urge you to take a more effective approach to cybersecurity—one that will save your organization money and preserve its reputation.
ISACA defines cybersecurity as “the actions related to protecting information assets by addressing threats to information processed, stored, and transported by information systems that are internetworked.” To effectively address cybersecurity, an organization’s approach must be holistic. Technology alone is not the solution. Instead, a number of elements must be considered, including people and processes.
“If a cybersecurity program isn’t holistic—for example, if it deals only with technology and does not address elements like organization, culture, or the human factor—one should not be too optimistic about the effectiveness of the program,” says Dr. Christos Dimitriadis, head of information security for INTRALOT Group. Using a governance framework like COBIT, organizations can systemically and holistically transform their cybersecurity strategies.
A Governance Focus
Cybersecurity governance is both preventive and corrective. It covers the preparations and precautions taken against cybercrime and cyberwarfare, and it determines the processes and procedures needed to deal with incidents that occur.
In Transforming Cybersecurity Using COBIT 5, ISACA recommends starting with these eight principles:
Know the potential impact of cybercrime and cyberwarfare. The concept of cybersecurity should be seen in light of potential damage and the wide-ranging impacts of cybercrime and cyberwarfare. To adequately manage cybersecurity, the tolerable levels of risk and business impact must be known or carefully estimated. This includes in-depth knowledge about the ways in which end users may be targeted and affected by cybersecurity attacks and incidents.
Understand end users, their cultural values, and their behavior patterns. As the ISACA guide notes, “Business impact and business risk relating to cybersecurity arrangements are strongly influenced by organizational and individual culture.” The culture—and the resulting end-user behaviors and patterns—should be accounted for in the enterprise’s strategic, tactical, and operational security measures.
Clearly state the business case for cybersecurity and the risk appetite of the enterprise. The business case outlining expected value and tolerable risk will drive the overall cybersecurity strategy. As a result, the business case must have depth and definition. Among its contents, it must include cost-benefit considerations and the organization’s culture and values pertaining to cybersecurity.
Establish cybersecurity governance. There’s no need to reinvent the wheel here. Adopting and customizing a governance framework, such as COBIT, will give you the tried, tested, and proven governance guidance you need. By effectively governing cybersecurity, an organization provides a clear sense of direction and boundaries.
Manage cybersecurity using principles and enablers. The principles and enablers found in COBIT 5 will help your organization ensure end-to-end governance that meets stakeholder needs, covers the enterprise, and provides a holistic approach, among other benefits. The processes, controls, activities, and key performance indicators associated with each enabler will provide the enterprise with a comprehensive picture of cybersecurity.
Know the cybersecurity assurance universe and objectives. Cybersecurity covers multiple areas and aspects within information security. To provide adequate assurance over cybersecurity, the cybersecurity universe must be well defined, and the assurance objectives must be clear and manageable.
Provide reasonable assurance over cybersecurity. This principle requires all three lines of defense within an enterprise to be defined and managed. This includes monitoring, internal reviews, audits, and, as needed, investigative and forensic analysis.
Establish and evolve systemic cybersecurity. Cyberattacks target the weakest link in the system. As a result, cybersecurity must be looked at as a system of interdependent elements and the links between them. To optimize cybersecurity, the enterprise must have a complete understanding of this dynamic system and must be fully aware that security governance, management, and assurance cannot be viewed in isolation.
A People Focus
A 2014 Symantec report notes that the total number of breaches in 2013 was 62 percent greater than in 2012, with eight of the breaches exposing more than 10 million identities each. Organizations are also facing an increase in advanced persistent threats (APTs), which infiltrate a system by stealth, can take months or years to detect, and are aimed squarely at commercial gain—typically the theft of credit card information, customer data, or proprietary intellectual property. ISACA’s research shows that 66 percent of organizations feel it’s likely they will be the target of an APT attack.
Despite this increase in cyberattacks, many organizations do not appear to be aggressively increasing the number or skills of their cybersecurity staff. ISACA’s 2014 APT Survey found that more than half of the organizations polled (62%) aren’t increasing security training in 2014.
Yet even the organizations that recognize they need to add cybersecurity professionals to their staff face a daunting challenge: there are more job openings than there are qualified professionals. A study by Cisco estimates that close to 1 million positions for security professionals are currently unfilled.
There are several reasons for this shortage. One is that it’s not a trivial task to master the knowledge required to become truly effective at threat detection and mitigation. Countering a sophisticated attack by a well-resourced adversary requires much more than a set of baseline security practices. It demands specialist security skills, intelligence-led risk assessments, street-smart education of staff, and state-of-the-art forensic analysis skills. Ideal candidates are well-rounded and have a solid foundation in networking, operating systems, web technologies, and incident response, and an understanding of the threat landscape and risk management.
Another contributor to the cybersecurity skills shortage is that postsecondary educational institutions aren’t producing a sufficient quantity of new graduates with the skills to satisfy government and enterprise needs. A number of vendors, government, and nonprofit institutions are partnering with universities to provide educational resources on this subject. ISACA, for example, already provides professors with the Model Curriculum for Information Security Management, and is planning to make available cybersecurity case studies, teaching notes, and a student book later this year. However, this academic/corporate collaboration is not common, and the number of cybersecurity-trained graduates emerging from universities in a typical year falls far short of the millions of new hires and experts needed today.
ISACA recently polled 171 of its student members at academic institutions around the world on the subject of cybersecurity. Nearly 90 percent of respondents plan to work in a field or job that requires some level of cybersecurity knowledge. Yet only 47 percent feel they’ll have adequate cybersecurity knowledge to do the types of jobs they’re seeking. Interestingly, only 23 percent said their universities don’t offer courses in cybersecurity, so concerns about inadequate knowledge can’t be attributed solely to course availability.
Advanced threat vectors and emerging technologies require cybersecurity professionals to be skilled in technology. But that’s not enough. Cybersecurity as a discipline includes the social environment of people, enterprises, and related processes. In addition to other types of risk, social risk primarily arises from people and their behavior, human factors in IT use, and the emergence of change within the overall system.
To raise awareness of threats within an organization and drive behavioral changes, cybersecurity professionals should also be skilled at speaking the language of business, understanding their employer’s business strategy and organizational structure, and communicating effectively with employees at all levels in the organization, from the mail room to the board room.
In the event of an incident, these skills are even more important, as an organization’s specialist team of IT and cybersecurity professionals—often referred to as the CSIRT (computer security incident response team)—must have the skills to effectively navigate managing a major incident, conducting a forensic analysis, investigating the likely business impact, and preparing a postmortem report for senior management and often board members.
Cybersecurity mastery is a journey, not a single moment in time. Whether they’re recent university graduates or practitioners with several decades of experience, these professionals need information and access to peers and mentors that will evolve as their career evolves.
The growing cybersecurity skills crisis will not disappear in the near future. However, with many companies, schools, government institutions, and professional associations raising awareness about the issues and collaborating to identify solutions, strides are being made toward broadening the global talent pool of cyberdefenders and making progress in the ongoing battle against cyberattacks.
A Solutions Focus
Consider this sobering statistic from the ISACA APT survey: one in five organizations has experienced an APT attack.
Clearly there’s a significant need among cybersecurity professionals for opportunities to come together to address complex cybersecurity problems and share solutions. ISACA recently launched the Cybersecurity Nexus to provide a single, international source of cybersecurity tools and services. In addition to ISACA’s existing guidance, such as the aforementioned COBIT publication, new resources will include mentoring programs, training opportunities, a clear career and credentialing path for professionals to follow, and data that helps professionals get a sense of where their organizations are now and where they need to be headed.
Cybersecurity is a daunting issue—and a potentially expensive one, when we take a look at that $3-trillion figure—but it’s one we can go a long way toward addressing if we approach it from a people, process, and technology perspective.
Rob Stroud, VP of strategy and innovation at CA Technologies, is dedicated to the development of industry trends and strategies, and the communication of industry best practices. He is currently the international president of ISACA, and he’s the author of several standards publications, including COBIT 4.0, 4.1, and COBIT 5, guidance for Basel II, and multiple mappings of COBIT to various frameworks and standards.
Rob will be presenting sessions on the service catalog and the Internet of Things at FUSION 14 (sessions #203 and #505).